[keycloak-dev] oauth clients and session problems

Stian Thorgersen stian at redhat.com
Mon May 19 04:35:21 EDT 2014


Can we have a hangout to discuss this?

Another thing I thought about was that I think the session cookie should be persisted permanently even without remember-me enabled. That way instead of creating a new session after restarting the user can re-attach to the same session by a new login. The benefit here is that we are more likely to invalidate any refresh tokens created for that particular device/browser.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 16 May, 2014 4:47:52 PM
> Subject: Re: [keycloak-dev] oauth clients and session problems
> 
> Surely the user has to login first though, before the oauth grant page is
> displayed?
> 
> Google, Facebook, Twitter, etc. all require that you are logged in with them
> prior to displaying a grant page.
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Friday, 16 May, 2014 4:38:59 PM
> > Subject: Re: [keycloak-dev] oauth clients and session problems
> > 
> > OAuth clients shouldn't create an identity cookie at least.  Again,
> > because the user might not know they are logged in.  Meaning, if the
> > user isn't already logged in, then the oauth grant page will not
> > set/refresh the KEYCLOAK_IDENTITY cookie.
> > 
> > I'm most worried about doing an oauth client grant and the user not
> > knowing they are logged in.  They step away from the browser, and still
> > have their SSO session active.
> > 
> > On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
> > > In that case I'm not convinced. I'd expect all 'clients' to be logged out
> > > when I logout of the SSO realm. Unless I've explicitly granted the client
> > > offline access (something we don't really support atm).
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: "Stian Thorgersen" <stian at redhat.com>
> > >> Cc: keycloak-dev at lists.jboss.org
> > >> Sent: Friday, 16 May, 2014 4:09:00 PM
> > >> Subject: Re: [keycloak-dev] oauth clients and session problems
> > >>
> > >> No, I'm talking about browser-based oauth grant.  Where the client
> > >> initiating the token request is an oauth client and the user has to
> > >> login and go to the oauth grant page.
> > >>
> > >> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> > >>> Are you talking about 'tokens/grants/access'?
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>> To: keycloak-dev at lists.jboss.org
> > >>>> Sent: Friday, 16 May, 2014 2:48:06 PM
> > >>>> Subject: [keycloak-dev] oauth clients and session problems
> > >>>>
> > >>>> I think oauth grants are a different animal than application logins.
> > >>>> Applications are part of an SSO session, while oauth grants will
> > >>>> probably not want to be part of an SSO session.  Why? If an Oauth grant
> > >>>> requires entering in user credentials, right now, Keycloak will create an
> > >>>> identity cookie.  The user might not know in this situation that they
> > >>>> need to logout.
> > >>>>
> > >>>> I was thinking that:
> > >>>>
> > >>>> 1. OAuth Client grant requests should always have a new session created
> > >>>> for them.
> > >>>> 2. OAuth client grant requests should not ever set any cookies.  It's ok
> > >>>> to use existing cookies for authentication though.
> > >>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
> > >>>> for each oauth client and application.
> > >>>>
> > >>>> --
> > >>>> Bill Burke
> > >>>> JBoss, a division of Red Hat
> > >>>> http://bill.burkecentral.com
> > >>>> _______________________________________________
> > >>>> keycloak-dev mailing list
> > >>>> keycloak-dev at lists.jboss.org
> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>>>
> > >>
> > >> --
> > >> Bill Burke
> > >> JBoss, a division of Red Hat
> > >> http://bill.burkecentral.com
> > >>
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> 
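As an added illustration (this is constructed model code, not code from the thread and not Keycloak's implementation), the following Python sketch encodes the three points Bill lists (a fresh session per OAuth grant, grants never set the identity cookie but may authenticate from an existing one, and per-client overrides of the idle timeout and max lifespan) together with refresh tokens bound to a session. Running the scenario shows the consequence Stian raises: an SSO logout removes the application's session, but a grant session created under point 1 keeps working until its own idle timeout expires. The client ids, timeouts and user name are assumptions; only the cookie name KEYCLOAK_IDENTITY comes from the thread.

```python
# Constructed toy model of the session policy discussed in the thread (not Keycloak code).
import secrets
from dataclasses import dataclass, field
from typing import Optional

IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"   # cookie name from the thread; values below are made up


@dataclass
class ClientPolicy:
    client_id: str
    oauth_client: bool                   # True: browser-based OAuth grant client
    idle_timeout: Optional[int] = None   # per-client override in seconds (point 3)
    max_lifespan: Optional[int] = None   # per-client override in seconds (point 3)


@dataclass
class Session:
    session_id: str
    user: str
    created_at: int
    last_access: int
    refresh_tokens: set = field(default_factory=set)


class Realm:
    def __init__(self, sso_idle_timeout=1800, sso_max_lifespan=36000):
        self.sso_idle_timeout = sso_idle_timeout
        self.sso_max_lifespan = sso_max_lifespan
        self.clients = {}       # client_id -> ClientPolicy
        self.sessions = {}      # session_id -> Session
        self.token_owner = {}   # refresh token -> session_id

    def register(self, policy):
        self.clients[policy.client_id] = policy

    def limits(self, client_id):
        """Effective (idle, lifespan) for a client: its override or the realm default."""
        p = self.clients[client_id]
        return (p.idle_timeout or self.sso_idle_timeout,
                p.max_lifespan or self.sso_max_lifespan)

    def session_valid(self, sess, client_id, now):
        idle, life = self.limits(client_id)
        return (now - sess.last_access) <= idle and (now - sess.created_at) <= life

    def _new_session(self, user, now):
        s = Session(secrets.token_urlsafe(16), user, now, now)
        self.sessions[s.session_id] = s
        return s

    def authenticate(self, client_id, now, cookie=None, credentials_user=None):
        """Handle a login or grant request; returns (session, Set-Cookie value or None)."""
        policy = self.clients[client_id]
        existing = self.sessions.get(cookie) if cookie else None
        if existing and self.session_valid(existing, client_id, now):
            user = existing.user            # an existing cookie is fine for authentication
            existing.last_access = now
        elif credentials_user:
            user = credentials_user         # credential login (password check elided)
            existing = None
        else:
            raise PermissionError("login required")
        if policy.oauth_client:
            sess = self._new_session(user, now)   # point 1: grants always get a new session
            set_cookie = None                     # point 2: grants never set the identity cookie
        else:
            sess = existing or self._new_session(user, now)
            set_cookie = f"{IDENTITY_COOKIE}={sess.session_id}"
        return sess, set_cookie

    def issue_refresh_token(self, sess):
        tok = secrets.token_urlsafe(24)
        sess.refresh_tokens.add(tok)
        self.token_owner[tok] = sess.session_id
        return tok

    def refresh(self, token, client_id, now):
        """A refresh token is only usable while its owning session is alive and within limits."""
        sid = self.token_owner.get(token)
        sess = self.sessions.get(sid) if sid else None
        if not sess or not self.session_valid(sess, client_id, now):
            return False
        sess.last_access = now
        return True

    def logout(self, session_id):
        sess = self.sessions.pop(session_id, None)
        if sess:
            for t in sess.refresh_tokens:
                self.token_owner.pop(t, None)


def scenario():
    """Walk through the thread's case with constructed clients, users and timestamps."""
    realm = Realm(sso_idle_timeout=1800, sso_max_lifespan=36000)
    realm.register(ClientPolicy("webapp", oauth_client=False))
    realm.register(ClientPolicy("mobile-grant", oauth_client=True, idle_timeout=600))
    app_sess, app_cookie = realm.authenticate("webapp", now=0, credentials_user="alice")
    # Same browser performs an OAuth grant: the cookie authenticates, no cookie is set back.
    grant_sess, grant_cookie = realm.authenticate("mobile-grant", now=10, cookie=app_sess.session_id)
    rt = realm.issue_refresh_token(grant_sess)
    results = {
        "app_cookie_set": app_cookie is not None,
        "grant_cookie_set": grant_cookie is not None,
        "grant_is_separate_session": grant_sess.session_id != app_sess.session_id,
        "grant_user_from_cookie": grant_sess.user == "alice",
        "refresh_ok_before_logout": realm.refresh(rt, "mobile-grant", now=310),
    }
    realm.logout(app_sess.session_id)            # SSO logout of the application session
    results["refresh_ok_after_sso_logout"] = realm.refresh(rt, "mobile-grant", now=320)
    results["refresh_ok_after_idle"] = realm.refresh(rt, "mobile-grant", now=320 + 601)
    return results
```

The `refresh_ok_after_sso_logout` entry is the point of contention in the thread: with a separate grant session the SSO logout leaves the grant's refresh token valid, and only the client's own (here overridden, 600 s) idle timeout ends it. Tying the grant to the SSO session instead would make that entry false on logout.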

